In one form or another, I have been preparing to write this book for many years. In the most recent of those years, my focus has been on collaborating with NASA personnel on producing detailed guidance about potential ways that the agency could apply enterprise risk and opportunity management to help ensure its success as its mission becomes more complex. This collaboration has resulted in the publication of the NASA special publication report, Organizational Risk and Opportunity Management: Concepts and Processes for NASA Consideration.

In the process of writing that report, my thinking has evolved into considering two extensions of the original NASA purpose. First is how EROM can be applied to other pioneering technical organizations, both nonprofit and commercial, some of whom I have previously worked with on matters of risk and opportunity assessment and management. Second is how EROM can be integrated with the identification, implementation, and evaluation of internal controls, complying with new requirements from the federal government. This book, therefore, builds on the NASA work by extending it to be generally applicable to organizations of all sorts that are concerned with performing pioneering technical research, integrating and operationalizing that research into complex technical systems, and satisfying externally mandated requirements.

One might ask, “Why yet another guidebook on EROM when there have been several others produced during the past 10 or 15 years?” The answer is that the vast majority of the work that has appeared before now has been oriented toward business and financial organizations, whose objectives center on ultimate monetary gain for their company and their stockholders. In contrast, organizations whose principal objective is to develop and implement risky technologies for scientific and technical gain are faced with different kinds of risks and different kinds of opportunities. In many ways, their risks and opportunities are broader and more challenging than those of the traditional commercial business/financial sector, because their successes may produce breakthroughs that benefit the entire world while their failures may correspondingly have negative global implications. Yet they, like commercial business/financial companies, are also faced with the pressure of tight schedules, decreasing budgets, and political vagaries.

Another reason for writing this book is to fill a gap that exists in explaining how the high-level principles of EROM that others have presented (for example, COSO) can be converted into fine-tuned methods and tools. The practice of EROM in pioneering technical enterprises involves working with mostly qualitative data in a realm that is characterized by high uncertainties. The rigorous part of EROM in such an environment is in the strength of the arguments that are made to reach conclusions about how the enterprise should proceed. Thus, a large part of the effort concerns the derivation of the tasks and templates needed to assist in ensuring that the rationale behind the arguments is both sound and comprehensive. Fulfilling this need is one of the focuses of the book.

Government offices like the office of Management and Budget (OMB), the Government Accountability Office (GAO), and the President's Management Council (PMC) are beginning to encourage and even require the use of EROM in federal agencies, while many top-notch educational and research centers are beginning or have already begun to incorporate EROM into their strategic planning. It is hoped that this book will be of particular value in encouraging and informing these efforts.

In the words of Thomas H. Stanton, past president of the Association of Federal Enterprise Risk Management (AFERM), [quoting from the second quarter 2015 AFERM newsletter]: “Among those agencies that face serious budget cuts, those with strong risk management processes are likely to fare much better—in terms of protecting their core missions and the well-being of their constituents and employees—than those lacking the ability to identify, prioritize, and address major risks that may arise without the protections that effective ERM provides.”

Before commencing, I would like to express my special thanks to Dr. Homayoon Dezfuli, Technical Fellow for System Safety and Risk Management at the NASA office of Safety and Mission Assurance, and Chris Everett, Manager of the Technology Risk Management office at Information Systems Laboratories, Inc. (ISL), with whom I collaborated in the formulation of an integrated EROM framework and in the development of the antecedent NASA report through a NASA/ISL blanket purchase agreement (BPA). Special thanks are also due to the following professionals at NASA for reviewing that work and helping to improve its content: Julie Pollitt (retired), Chet Everline, Martin Feather, Sharon Thomas, Emma Lehnhardt, Jessica Southwell (now with the Department of Labor), Prince Kalia, Harmony Myers, Anthony Mittskus, Sue Otero, Wayne Frazier, Kimberly Ennix Sandhu, and Pete Rutledge (retired and now with Quality Assurance and Risk Management Inc.).